alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected TA451 Related FalseFont Backdoor Activity M4"; flow:established,to_server; urilen:<37; http.uri; content:"/api/Core/Command/Add/Schedule/"; startswith; fast_pattern; pcre:"/^(?:True|False)$/R"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; content:"Authorization|0d 0a|"; threshold:type limit, count 1, seconds 300, track by_src; reference:url,nextron-systems.com/2024/01/29/analysis-of-falsefont-backdoor-used-by-peach-sandstorm-threat-actor/; reference:md5,6fd5d31d607a212c6f7651c79e7655a3; classtype:misc-activity; sid:2050676; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2024_02_01, deployment Perimeter, malware_family FalseFont, confidence High, signature_severity Critical, tag TA451, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_02_05;)